Date: Sat, 17 Nov 2012 18:05:48 -0500 (EST) From: Trevor Johnson <trevor@jpj.net> To: freebsd-security@freebsd.org Subject: Re: Recent security announcement and csup/cvsup? Message-ID: <alpine.BSF.2.00.1211171758590.48317@blues> In-Reply-To: <CADLo83-kcQWBUXwtWka5Sd%2BsNaDFGBxZuKbDN5g5ZDOf1cuGQw@mail.gmail.com> References: <20121117150556.GE24320@in-addr.com> <CADLo83-kcQWBUXwtWka5Sd%2BsNaDFGBxZuKbDN5g5ZDOf1cuGQw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Chris Rees wrote: > On 17 Nov 2012 15:06, "Gary Palmer" <gpalmer@freebsd.org> wrote: >> >> Hi, >> >> Can someone explain why the cvsup/csup infrastructure is considered > insecure >> if the person had access to the *package* building cluster? Is it because >> the leaked key also had access to something in the chain that goes to > cvsup, >> or is it because the project is not auditing the cvsup system and so the >> default assumption is that it cannot be trusted to not be compromised? >> >> If it is the latter, someone from the community could check rather than >> encourage everyone who has been using csup/cvsup to wipe and reinstall >> their boxes. Unfortunately the wipe option is not possible for me right >> now and my backups do go back to before the 19th of September > > Checks are being made, but CVS makes it slow work. It sounds as though someone is reading all the RCS files. Is that what's happening? As I understand it, the doc, ports and src CVS repositories are now being generated from Subversion. According to the Web page about the breach, the Subversion repos are known to be intact. If known-good CVS trees from the time of the switchover to Subversion are available, couldn't updated CVS repos be made by running svn_cvsinject as described at http://sam.zoy.org/writings/programming/svn2cvs.html ? It says: If your CVS repository ever gets corrupted, you can reinject every SVN commit by restoring your backuped CVS tree and calling svn_cvsinject again for every revision since you used cvs2svn. It seems that this would be far less error-prone, and far less labor-intensive, than eyeballing everything. Is the plan to eventually shut down the anoncvs and CVsup services entirely? If so, shall the Gnats database be made available to the public through other means besides the query-pr CGI? I ask this after looking at http://www.freebsd.org/doc/en/articles/committers-guide/article.html#gnats . -- Trevor Johnson
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.1211171758590.48317>